FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

Symptoms:

Cannot open SEP or any other program.

System utilities like Cmd, Taskmgr, Regedit are disabled.

Receiving pop-ups from another rogue antivirus stating that there are viruses on the machine and that the machine is infected.

3. There would be a folder or a .bat file or an .exe with a random name like VRQWSDJFGK.

4. This folder contains the Fake AV file.

5. If you don't find the folder in the above-mentioned location, try looking for it in C:\Documents and Settings\All Users\Application Data

6. Once the folder and file are traced, submit the file to Symantec Security Response using the appropriate entitlement.

7. Once the file is submitted successfully, the file can be deleted.

8. Boot the computer in normal mode.

9. If you are not able to access the Internet, correct the proxy settings in Tools > Internet Options > Connections > LAN Settings. Most of the time the Fake AV changes the setting to 'Automatically detect settings'. If there is no proxy server, you may uncheck this setting.

NOTE: It is not recommended to delete the threat file manually, as it may result in user profile corruption.

In many cases, we found that the issue gets resolved if the user profile is deleted and a new user profile is created. This is because these programs are Trojans and mostly get installed in the user's profile (in the folders which the user has access to).

So, in case you have a couple of users on the same computer, you may see these programs when the infected user logs in to his profile, and if you switch the profile, you may not see these programs running in another non-infected profile.

However, this is not necessarily the case every time. This is a sample based on some infections.

So, in case you are unable to find the suspicious threat file, you may consider working through the article provided below:

Using the Symantec Support Tool, how do we collect suspicious files and submit them to the Symantec Security Response Team?

Is there a way to protect the hosts file on the computer? In a recent experience I found that there were a bunch of hosts entries for google.com and symantec.com (but the IP addresses were pointing to a UK server). Hence LiveUpdate could not function.

We had to correct the issue by resorting to System Restore (1 week back). The hosts file could not even be overwritten, as access was denied. Even when I killed the processes, removed the entries and saved it, within two minutes I saw that bunch of entries coming up again.

You can block writing to the hosts file. One condition is that the SEP client needs to have the Application and Device Control component installed (a subcomponent of Proactive Threat Protection).

To configure it, log in to Symantec Endpoint Protection Manager and go to Policies -> Application and Device Control, then right-click on an existing Application and Device Control policy and select Edit. In the new window please go to Application Control and enable Block modifications to hosts file. Confirm everything with OK and assign the policy to the groups if needed.
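Blocking writes is the prevention side; the hosts-file hijack described in the question above can also be detected. The following script is an added example, not code from this thread or from Symantec: it parses a hosts file and flags any entry that overrides a domain a clean hosts file has no reason to mention (the google.com and symantec.com entries from the question, plus the LiveUpdate domain, which are assumptions here), classifying each hit as a redirect to another server or a blackhole to loopback/0.0.0.0. The sample hosts file is constructed and uses the 203.0.113.0/24 documentation range in place of the rogue server.

```python
import ipaddress

# Domains that a legitimate hosts file has no reason to override. The thread
# describes rogue entries for google.com and symantec.com; LiveUpdate breaks
# when its servers are redirected or blackholed this way. (Assumed watch list.)
WATCHED_DOMAINS = ("google.com", "symantec.com", "symantecliveupdate.com")

# Constructed sample hosts file (not a real capture; 203.0.113.0/24 is a
# documentation range standing in for the rogue server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       my-dev-box.local   # harmless local override
203.0.113.10    www.google.com
203.0.113.10    google.com
203.0.113.10    symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore
        for host in fields[1:]:                  # one IP may map several names
            yield line_no, ip, host.lower()

def matches_watched(host, watched=WATCHED_DOMAINS):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return entries that override a watched domain, classified by effect."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if not matches_watched(host, watched):
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        hits.append({"line": line_no, "ip": str(ip), "host": host, "kind": kind})
    return hits

def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Scan the live hosts file; the default path is the Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked(fh.read())

if __name__ == "__main__":
    for hit in find_hijacked(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

Run `scan_hosts_file()` on an endpoint to check the real file; any hit is worth investigating, since neither a redirect nor a blackhole of a vendor update domain belongs in a clean hosts file.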

Many times when a PC is infected with FakeAV, it will not allow you to run any legitimate removal programs. Typically, what I do is use Process Explorer to find the malware. If you try to use Process Explorer on an infected system, it will not be allowed, as the FakeAV will kill it immediately and alert you that procexp.exe was infected and cannot be run.

A simple trick to get around this is to rename the Process Explorer executable to a legitimate Windows process name (winlogon.exe, explorer.exe, svchost.exe, etc.) and then run it.

The FakeAV knows not to kill a valid critical Windows process otherwise Windows will likely crash or hang and the virus will not be able to accomplish what it needs to do.

This has worked 95% of the time for me when fighting these types of infections.